Clear text transmission of sensitive cookie — CodeQL query help documentation CodeQL docs

Clear text transmission of sensitive cookie

ID: js/clear-text-cookie
Kind: problem
Security severity: 5.0
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-614
   - external/cwe/cwe-311
   - external/cwe/cwe-312
   - external/cwe/cwe-319
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls


Cookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user’s behalf.

Recommendation

Always transmit sensitive cookies using SSL by setting the secure attribute on the cookie.

Example

The following example stores an authentication token in a cookie that can be transmitted in clear text.

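    const http = require('http');

    // makeAuthkey() is assumed to be defined elsewhere in the application.
    const server = http.createServer((req, res) => {
        // No "secure" attribute: the browser will also send this cookie over plain HTTP.
        res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}`);
        res.writeHead(200, { 'Content-Type': 'text/html' });
        res.end('<h2>Hello world</h2>');
    });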

To force the cookie to be transmitted using SSL, set the secure attribute on the cookie.

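    const http = require('http');

    // makeAuthkey() is assumed to be defined elsewhere in the application.
    const server = http.createServer((req, res) => {
        // "secure" restricts the cookie to encrypted connections;
        // "httpOnly" additionally hides it from client-side scripts.
        res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}; secure; httpOnly`);
        res.writeHead(200, { 'Content-Type': 'text/html' });
        res.end('<h2>Hello world</h2>');
    });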
